

Researchers Create An Undetectable Rootkit That Targets Industrial Equipment (bleepingcomputer.com)

An anonymous reader quotes Bleeping Computer: "Two researchers presenting at the Black Hat Europe security conference in London revealed a method of infecting industrial equipment with an undetectable rootkit component that can wreak havoc and disrupt the normal operations of critical infrastructure all over the world. The attack targets PLCs (Programmable Logic Controllers), devices that sit between normal computers that run industrial monitoring software and the actual industrial equipment, such as motors, valves, sensors, breakers, alarms, and others."

Researchers say they packaged their attack as a loadable kernel module [PDF], which makes it both undetectable and reboot-persistent. The attack goes after the PLC's pin configuration, so the PLC can no longer tell which pins are the real inputs and outputs, giving the attacker full control to make up bogus sensor data, send fake commands, or block legitimate ones.

The researchers acknowledge that the attack is extremely complicated, but the article argues it would still be of interest to a state-sponsored actor.

59 comments

  1. Sounds like by Anonymous Coward · · Score: 0

    a new disease with no symptoms from attention whores!

    1. Re:Sounds like by mark-t · · Score: 1

      I'm guessing you didn't read the.... oh, never mind. This is Slashdot, what am I thinking?

  2. Undetectable = does nothing by redelm · · Score: 1

    At some point, anyone bent on malicious programming _wants_ to be detected -- when the payload does whatever malice intended. Before then, it wants to hide. Loadable kernel modules are a good way to hide, but not perfect. It might be detected by network activity (gotta love those lights) or power consumption (machine not sleeping). Both AFAIK still major detection mechanisms for all intrusions.

    But LKM are a known security risk, and can be turned off in Linux. Easy with known hardware. At one time OpenBSD did not allow LKM.

    1. Re:Undetectable = does nothing by neilo_1701D · · Score: 4, Insightful

      But LKM are a known security risk, and can be turned off in Linux.

      True... but the purchaser of (say) a CNC grinder or a motion control system or a 50 port temperature sensor or whatever other exotic industrial equipment you can dream up is NOT a Linux user. A good CNC operator will do things that make your head spin but not have the faintest idea about network security. All they care about is plugging in the power and the network cable and uploading designs from AutoCAD.

      At some point, anyone bent on malicious programming _wants_ to be detected -- when the payload does whatever malice intended. Before then, it wants to hide. Loadable kernel modules are a good way to hide, but not perfect. It might be detected by network activity (gotta love those lights) or power consumption (machine not sleeping). Both AFAIK still major detection mechanisms for all intrusions.

      Industrial equipment is expected to run differently to a computer. The guys on the shop floor don't give a rats about clean shutdowns etc; they turn the power off. Your average shopfloor person sees the flashing lights on a PLC and doesn't understand what they see (unless it's an error condition they have been trained for).

      You raise valid points... but consider where industrial equipment runs, and who runs it.

    2. Re:Undetectable = does nothing by thegarbz · · Score: 1

      You raise valid points... but consider where industrial equipment runs, and who runs it.

      I've considered it. If you're a small shop then you're also quite unlikely to be the target of this. If you're a big shop where these machines are utterly critical then you already have a dedicated team looking at it and maintaining it, separate from the team operating it.

  3. hey, you got your computer in my PLC by iggymanz · · Score: 5, Insightful

    Some of us are old enough to remember PLC that worked fine by themselves, not needing to be hooked to any other "computer". Maybe we need to start thinking about making things simpler again, where it makes sense, for reasons of security, robustness and even longer life of the equipment.

    1. Re:hey, you got your computer in my PLC by Anonymous Coward · · Score: 0

      Plowing the back 40 with oxen worked alright too. But we don't do things that way anymore for very good reasons. You obviously are not someone who has to deal with the business side of things. Forgoing all the efficiency benefits that advancing along the technological curve has gained us would cause any company that tried it to quickly be eaten alive by the competitors. Innovate or shrivel up and die in today's world.

    2. Re:hey, you got your computer in my PLC by Anonymous Coward · · Score: 0

      They have even started calling Arduinos PLCs now... It seems like most industries just don't give a f*ck anymore.

    3. Re:hey, you got your computer in my PLC by iggymanz · · Score: 3, Informative

      wrong-headed thinking by you. I'm talking unnecessary use of tech that gets us nothing in return. You are obviously someone who has never seen a machine that could have lasted decades get destroyed because a CPU module with a 5-7 lifespan failed.

    4. Re:hey, you got your computer in my PLC by PPH · · Score: 2

      not needing to be hooked to any other "computer"

      So how then do you propose to have the engineering department located in Bangalore update the PLC firmware?

      --
      Have gnu, will travel.
    5. Re:hey, you got your computer in my PLC by Anonymous Coward · · Score: 0

      Keep it simple stupid is hard for most people today it seems.

    6. Re:hey, you got your computer in my PLC by Anonymous Coward · · Score: 0

      I have seen your ancient PLCs fail and trash equipment too. I don't think it was "fine" back in the day at all. But I have heard lots of people say why it was better in their day, except they gloss over all the bad stuff.

    7. Re:hey, you got your computer in my PLC by Puff_Of_Hot_Air · · Score: 1

      I'm talking unnecessary use of tech that gets us nothing in return.

      The major source for this exploit is going to be remote update of PLC firmware/logic. By remote, I don't mean "internet" but simply physically remote. This does give you something from a plant operation point of view as it is simply one more task that's automated, and potentially a very expensive task due to the dollars per hour for the task in question. So the tech does get you something, at the increased cost of additional "risk". These risks should be mitigable (security into the network, security of the network, security of the device), but it is certainly true that PLC level security is not what it should be. I expect we'll see things rapidly improve on this front as the IOT mass proliferation leads to many more problems, and hence more focus on the inherent weaknesses in this area, and hence forcing the big players to invest the necessary dollars in making their devices securable. SCADA and industrial automation has simply benefited from obscurity for a very long time and thus not had the selection pressure forcing the required evolution.

    8. Re:hey, you got your computer in my PLC by Lisandro · · Score: 1

      Let's be fair now. I worked with SCADA systems nearly 20 years ago - computer-interfaced PLCs are nothing new.

    9. Re:hey, you got your computer in my PLC by Puff_Of_Hot_Air · · Score: 1

      Exactly. What is more new is updating the PLC remotely, IP based networking to PLCs, more standardisation of PLC operating systems, more network connectivity between SCADA networks and the outside world, and far more activity by state actors in industrial automation. At the end of the day, a PLC is a computer hooked up to a network card, connected to another computer running SCADA, most likely on Windows. There is a lot of security and obscurity that makes compromising these things hard, but there is an awful lot more that the big vendors could be doing to harden things from a PLC security point of view.

    10. Re:hey, you got your computer in my PLC by Anonymous Coward · · Score: 0

      You must work in marketing...only such nonsense would come from there...

    11. Re:hey, you got your computer in my PLC by Anonymous Coward · · Score: 0

      Why couldn't an Arduino be a PLC? It might not be able to be a safety PLC, but most devices run by PLCs do not need that (just add safety relays where needed). Nor do they need lightning fast speed. All PLCs have processors in them. Not to mention the "Smart relays" that Siemens (LOGO!), Omron (ZEN) and others have; an Arduino can do shitloads more than those.

    12. Re:hey, you got your computer in my PLC by Anonymous Coward · · Score: 0

      Like requiring the frickin LKMs to be properly signed before they are allowed to run.

    13. Re:hey, you got your computer in my PLC by Anonymous Coward · · Score: 0

      Battlestar Galactica...no networking so Cylons could not exploit

    14. Re:hey, you got your computer in my PLC by thegarbz · · Score: 1

      I'm talking unnecessary use of tech that gets us nothing in return.

      Do elaborate. What part of attaching a computer to a PLC has provided nothing in return? What part of the PLC magically breaks when the CPU in the computer dies?

      I'm honestly curious because when I work with these things on a daily basis I often hear from people talking about some useless computers somewhere and yet they aren't able to fix their PLC problem which is why they call me. First place I go is the computer whose existence they question. Likewise over the years of supporting ancient shit I've yet to be forced to replace a PLC due to a computer or some advanced feature. Network cards fail, even old proprietary ones fitting only in ISA slots can still be replaced. ... Or are you telling me you throw away expensive equipment because the display goes dead? If you do, please let me know I'd be happy to buy your old "useless" stuff off you.

    15. Re:hey, you got your computer in my PLC by Anonymous Coward · · Score: 0

      Some of us are old enough to remember PLC that worked fine by themselves, not needing to be hooked to any other "computer". Maybe we need to start thinking about making things simpler again, where it makes sense, for reasons of security, robustness and even longer life of the equipment.

      Hear hear!

      IT is one of the weakest links in engineering. Need an industrial-grade switch? No way, says IT. Off-the-shelf commodity switches cost a fraction less and even if they do fail, they are cheaper to replace.

      Move forward to when the switch fails (again) and losing control of 200 tonnes of material on a loading belt suddenly becomes an expensive problem to solve.

    16. Re:hey, you got your computer in my PLC by inasity_rules · · Score: 1

      One of my clients has a C200H still running a bandsaw machine. It was made in 1990. Not connected to anything and still going strong.

      Storing comments and variable names in the CPU is a really good innovation though...

      --
      I have determined that my sig is indeterminate.
    17. Re:hey, you got your computer in my PLC by iggymanz · · Score: 1

      So you've never, for example, seen a stamping press line destroy their robotic feeding arms? I'm interested in what you'd make out of robot arms crushed to cardboard thickness. The shit I'm talking about happens, happens because of unnecessary use of embedded controllers when PLCs did the job just fine for decades

    18. Re:hey, you got your computer in my PLC by iggymanz · · Score: 1

      oh do tell with specific examples of manufacturer of PLC and vendor of gear it destroyed. I'd be particularly delighted if in the tool and die realm because ....reasons.

    19. Re:hey, you got your computer in my PLC by thegarbz · · Score: 1

      Oh I've seen it. I also saw it many years ago with PLCs. And I also saw it before. What you're describing is hardware failure without interlocks protecting the equipment. That is poor design and coding and nothing to do with advances in controllers.

      I'm also interested in what you think a PLC is and does, if not an "embedded computer". The modern way these systems hook up has necessitated a dramatic increase in processing power and system complexity. This has not been "unnecessary" and has not given "nothing in return", and I maintain that failures of these systems should never result in damaged equipment, or injury, if some designer does their job.

    20. Re:hey, you got your computer in my PLC by rkordmaa · · Score: 1

      Someone physically goes on location and does it manually. If you update machine software you better verify that it actually changes what and how you want to change anyway, getting undesired results from software update is not exactly a rarity, especially if you don't have an actual production machine to test the software on first. Normally you hire a team of local service guys anyway, traveling half a world away to update PLC or swap some minor part in the machine gets rather pricey.

    21. Re:hey, you got your computer in my PLC by iggymanz · · Score: 1

      sure, a PLC is a type of computer by some definitions. I'm amused you think the situation could be "interlocked" though, ram of press weighing more than a locomotive with robotic arm *supposed* to be in die area as thing is coming down, narrowly missing the arm in proper operation. You're going to have the arm zoom away while holding blank? or dump the blank in wrong place? you'd make a bigger mess than the arm getting crushed.

    22. Re:hey, you got your computer in my PLC by Cramer · · Score: 1

      Unless they're programmed by paper tape, they will, at some point, be connected to some other computer -- directly (serial, ethernet) or indirectly (floppy, usb stick)

      Sure, 30 years ago one wrote their ladder-logic program on paper and keyed it into the PLC through a tiny keypad (that's only rarely attached to anything.) It was a major pain in the ass.

    23. Re:hey, you got your computer in my PLC by Cramer · · Score: 1

      Because that stopped Stuxnet dead in its tracks. Driver signing only makes the task of getting them loaded slightly more complicated. (i.e. obtain someone's signing key)

    24. Re:hey, you got your computer in my PLC by Anonymous Coward · · Score: 0

      True, the attacker would need to obtain a signing key. Depending on what you are running with the PLCs, you should use the proper procedures to protect your key. There are ways to make it practically impossible for the key to leak.

    25. Re:hey, you got your computer in my PLC by thegarbz · · Score: 1

      You're describing one kind of interlock, one that is supposed to sit in the path of the energy. This would absolutely not work on large hydraulic machines, or machines which move with incredible force. However interlocks aren't all about stopping the moving, they are about removing energy.

      One example of your die is to interlock the hydraulic fluid and have hydraulics lock the device in place. I've done the same thing with really large slide valves. They move with such force that a jammed valve can result in the actuator ripping itself off the valve body. There's no way to avoid that by blocking force on the actuator itself. Instead the massive actuator can be stopped dead in its tracks by a solenoid valve about the size of the one in my home espresso machine by locking the hydraulics against the cylinder.

      Anyway I'm sure you can find a great many examples in general where safer design can't be applied, but I'll still happily call out your assertion that modern complex PLCs are less reliable than older simple ones, both with regards to software design and hardware failures. In fact it's quite the opposite as the process control industry has moved to far more stringent requirements on construction of these systems. Yes there are PLCs out there that are garbage, but that's the designers fault. There are PLCs several orders of magnitude more reliable now than they were in the past, and the idea of some electronic component wearing out after a few years is quite laughable.

  4. not the hard part by rkordmaa · · Score: 1

    The difficulty of messing with industrial equipment is not how to mess with the software, but in how to get access to it in the first place. These days most newer machines don't actually have a physical PLC (unless you count the safety PLC that only handles the safety); instead they run a soft PLC on a PC, generally side by side with Windows using VT-x. Once you have access to such a machine, messing with it is really not hard at all.

  5. Laughable by Anonymous Coward · · Score: 0

    The article is garbage. The author has no clue.

    1. Re:Laughable by MightyYar · · Score: 2

      Nonsense. I long ago developed non-detectable malware, but I can't prove it because you can't detect it.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Laughable by Anonymous Coward · · Score: 0

      Hey look, I'm Anonymous. I can say shit.

  6. Who loads unsigned kernel modules? by Anonymous Coward · · Score: 0

    It does take some work to get into the position of being able to load a "kernel module". Is this work (the hardest part) "undetectable" too?

  7. May only want second order effects detected by raymorris · · Score: 1

    > At some point, anyone bent on malicious programming _wants_ to be detected -- when the payload does whatever malice intended.

    Not at all. Espionage is a clear example. Surely the target will notice when their ship gets blown up, but you don't want them to know it was due to espionage, much less computer, and certainly you don't want them to know WHICH computers you have compromised.

    With industrial control specifically, you may want to make the final device fail, perhaps have an ICBM explode at launch, but you don't want them to know that it failed because you've caused their CNC machine to cut a slot to have wider clearance than specified.

    1. Re: May only want second order effects detected by Anonymous Coward · · Score: 0

      A simpler explanation would be affecting production by introducing very minor critical design flaws. Where tolerance is critical, a mm offset could cause a whole production run to be scrapped. This is expensive and could cause deadline or release schedule issues. A battery case just too small. A bolt hole just too small or too big... minor things undetectable until measured.

  8. Stux Net by Anonymous Coward · · Score: 0

    Isn't this just a re-worked version of the US / Israel joint effort to kill Iran's uranium enrichment program?

    1. Re: Stux Net by Anonymous Coward · · Score: 0

      No, Wrong. (Because I said so)

      "Wall." (Drops mic)

      Sincerely,

      Donald

  9. Undetectable rootkit targets PLCs by khz6955 · · Score: 4, Interesting

    'Majid Hashemi : Avanade, a Microsoft / Accenture joint venture'

    From billg:
    To: mhashemi:
    Cc: a.abbasi:
    Msg: "Please write a report on Linux PLC malware so as to distract from the current Microsoft Windows phishing/malware/virus infestation on the Internet."

    Is there any other kind of rootkit except the undetectable kind? It's interesting that in that entire document they managed to mention Raspberry Pi 13 times, Linux 5 times and Microsoft Windows not at all.

    1. Re:Undetectable rootkit targets PLCs by Puff_Of_Hot_Air · · Score: 1

      How many PLCs do you think run Windows? Let me give you a hint; it's a round number. A very round number.

    2. Re:Undetectable rootkit targets PLCs by Anonymous Coward · · Score: 0

      You are absolutely incorrect. PC based control has been a thing for about 15 years now. Our plant e.g. uses Beckhoff TwinCAT.

    3. Re:Undetectable rootkit targets PLCs by Anonymous Coward · · Score: 0

      Try double that. I was working for a company selling PC-based control software in the late 80s.

    4. Re:Undetectable rootkit targets PLCs by rkordmaa · · Score: 1

      Huge number of PLC-s run on a Windows machine, TwinCAT ftw! Best way to develop a machine by a long shot. If an industrial machine has a PC it's a safe bet it runs Windows, so all of them run Windows.

  10. Pick any two by jenningsthecat · · Score: 5, Interesting

    This reminds me of the old engineering saying "good, fast, cheap - pick any two". Only in this case it's "complex, configurable, secure - pick any two". If you want security then you either forego complexity, (so the device can't do a lot, plus all the combinations and permutations of its behaviour can be understood and determined in advance, plus its attack surface is correspondingly smaller), or you forego configurability, (meaning functionality is set in wires or DIP switches or ROM, not by software that can be altered).

    Such complex and versatile systems, (such as the Internet), simply can't be protected adequately, unless they're disconnected from the outside world and therefore lose most of their advantages. What comprises solid protection today, probably won't tomorrow. We need to find ways of mitigating damage and recovering quickly; we can't rely on thwarting malicious hacking, because that's simply not possible in the long term. This applies equally to crappy consumer grade IoT gear and hardened SCADA systems. Yes, a good SCADA system is, (or should be), harder to compromise; but usually the payoff is commensurately bigger.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:Pick any two by DrXym · · Score: 1

      All PLC / SCADA networks should be closed networks. The biggest danger is some doofus in the factory connecting a PC or router to the same network and inadvertently exposing it to the world. In most other cases, security can be managed adequately with some locked cabinets. Most PLCs already reside inside locked cabinets to stop workers from pulling wires out on purpose or by accident.

    2. Re:Pick any two by twdorris · · Score: 1

      Only in this case it's "complex, configurable, secure - pick any two".

      Hmmm. Ok. I'll take secure and configurable. Thanks.

      Not sure your attempt to rework an "old engineering saying" was entirely successful.

      I suspect your later use of the word "versatile" would have been a better choice here. "versatile, configurable, secure - pick any two". Yeah, that seems to work.

    3. Re:Pick any two by jenningsthecat · · Score: 1

      Hmmm. Ok. I'll take secure and configurable. Thanks.

      Not sure your attempt to rework an "old engineering saying" was entirely successful.

      I suspect your later use of the word "versatile" would have been a better choice here. "versatile, configurable, secure - pick any two". Yeah, that seems to work.

      Good point - thanks. I wasn't entirely satisfied when I wrote the comment, but didn't take the time to figure out why. Your wording expresses my meaning better than mine did.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    4. Re: Pick any two by Anonymous Coward · · Score: 0

      You are supposed to be insulted and tell him to fuck a duck. Jeez. Take more caffeine, get into a driving altercation, and come back to respond again angry!

  11. Reboot persistence? by fph+il+quozientatore · · Score: 1

    How does the "persistent over reboots" part work? I haven't read the whole paper, but a search for "reboot" or related terms returns nothing.

    --
    My first program:

    Hell Segmentation fault

  12. Call it "Clinton Foundation" by Anonymous Coward · · Score: 0

    You're sold up the river, and the media ignores the corruption.

    Nixon - delete 18 min of audio, forced to resign, become Democrat's villain

    Hillary - delete 300,000 emails documenting corruption and having illegal classified data, rides to nomination, becomes Democrat's hero.

    1. Re:Call it "Clinton Foundation" by Anonymous Coward · · Score: 0

      Yes, well, the evil on the right has also gotten bigger by the same factor. Ultimately we all lose.

  13. Real PLCs support signed firmware by karlandtanya · · Score: 1

    They've found a cheap PLC they can exploit. Buy a decent PLC and you have a fair shot against something like this.

    I was a PLC monkey (still am) when Stuxnet was new. Shortly afterward I watched one of my Clients, an automation manufacturer with a fairly decent market share migrate their critical products to signed firmware. Controllers, ethernet bridges, and industrial switches to start with, but it continues--there's signed firmware options for more and more of the available products.

    You buy the products from an authorized reseller with unsigned firmware (if it's available) and if you want signed, you can flash it yourself.
    After that, there's no going back--from that point forward you can only flash signed firmware from the mfr.

    You can still put bad things in the user code, but such is the nature of user programs. Those can be signed, fingerprinted, and locked too.

    Of course none of that is "proof against" attackers, but a real PLC should certainly not be as vulnerable as an embedded controller from a terminal block manufacturer.

    These Wago units run about 500 bucks. You can get cheaper units with built-in I/O from new places like plcdirect, or used from radwell.
    Heck, if you've got some patience you can get a "PLC" from aliexpress for less than fifty bucks. Won't have Ethernet, though.
    If I delivered a project to a Client built around any of that stuff, they would *not* pay me; they'd sue me.

    It's going to cost you around $2K (depending on your multiplier, of course...) to get a modern micro PLC with included I/O from a real automation company--trust ain't cheap.

    --
    "Reality is that which, when you stop believing in it, doesn't go away." - Philip K. Dick
  14. This shouldn't be surprising by DrXym · · Score: 3, Interesting

    PLCs are designed to run on closed networks and normally have no protection around their firmware. They're expected to be commissioned and forgotten about. Some PLCs will even boot their firmware straight from an SD card slot which can be modified to make the PLC do anything. They are not secure in any way, shape or form.

    Adding security could be done of course, and perhaps there are things to be done that should be. But for the majority of deployments total security adds complexity to protect against a threat which is extremely unlikely to ever happen. If you want to protect your PLCs from being tampered with, there is a far simpler solution - buy a big secure cabinet and a big padlock. If you're super paranoid, fill any firmware update slots with epoxy.

  15. Act of war by chromaexcursion · · Score: 1

    As the article mentions, this would likely need a nation state sponsor.
    This attack is unfocused. The attacker probably has no idea what the individual IO points mean or do.
    The attack would be only to destroy.
    That's an Act of War.

    Your next move, Dr. Strangelove?

    I write industrial control software. Most of my customers don't have their process control computers accessible, except as needed. As for IO points, at least with what I work on, each system is unique.

    1. Re:Act of war by Anonymous Coward · · Score: 0

      Your next move, Dr. Strangelove?

      Is he?

  16. fear mongering this is by Anonymous Coward · · Score: 0

    I program PLCs and SCADA systems and industrial touch screens, set up instrumentation and fully design and build systems, and have a few VFD certified factory startup certifications, and this is silly (I also have a Linux / IT background / network security past as well). Basically any system doing something even remotely important is put on its own network island; many times only trusted employees have access to any sort of programming software (if there's any at all on site). So yes, they are not in and of themselves secure devices like a web server or some other server that's publicly available on the internet. Protocols like MODBUS or ENIP or CIP weren't designed with security in mind but versatility (and no encryption, some passwords from time to time to keep honest people honest, but guys like me know the factory built-in workarounds to any sort of password in the ICS world). Traditionally PLCs all used proprietary protocols like DeviceNet, ProfiBUS, ModbusPlus, but now that everything is going Ethernet enabled, IT people keep thinking "hey, this is now something that exists in my realm and I need to regulate it", but that is completely wrong and it's nothing like business computer networking at all! All it has in common is the media looks the same and there are usually IP addresses. Unless you built a system with PLCs whose people's paychecks or drinking water rely on it working, as an IT guy you should not touch it! (And most don't, thank you.) Don't install a bunch of updates on SCADA PCs! (Also don't connect it to the internet! Unless there is no other choice, and not for long. These should only be used for the purpose of controlling the machine only; don't let those operators web-surf or have solitaire!)

    And don't be worried about PLC network security because there really is none: if you can ping a PLC then you can completely reprogram it, you just need that manufacturer's software. There are no passwords to go "online" with it generally, and you can upload the current running program and even see what it's doing. As long as it is in a completely isolated environment then that's ideal, and no WIFI! on process networks. It's often a good idea to disconnect USB ports that connect to the front of the PC even.

    This stuff has to work day in, day out, 24 hours a day, reliably and predictably every time, and with protocols IT people have no idea about: so IP yes, TCP maybe, UDP probably not, and there are many other protocols that exist under the IP layer that are neither TCP nor UDP, which I've seen IT people get hung up on time and time again, thinking that there's nothing else out there, and so they think it's a great idea to put a firewall between my process equipment, and Allen Bradley has an EtherNet/IP deployment guide that also explains the right way to deploy a large system, and I have read it and fully agree with it, and the all-knowing IT people just throw that book out and tell me "no, that's not what we're going to do because we're security conscious", and then some idiot in the middle of the night is tasked with upgrading the firmware on all the switches remotely at site X as usual and then shuts down the whole plant remotely. I've heard horror stories where people almost died when a valve flew open which should not have (granted there was also some poor design, fail-closed vs fail-open stuff going on as well). But basically you can't treat this like you do an operating system vulnerability, because it would be completely irresponsible to have a PLC be publicly accessible to the internet; it should require physical access to interfere with, and physical access should be limited to those who need it. So security is a good thing, but if the attack is this outlandish it's not an issue, and if you go too far with security, be warned, IT guy, you may get fired for taking down a facility when you were doing what you normally do with business equipment, which can go down briefly here and there; process equipment generally can't go down EVER. As Mr. Scott would say, the more complicated the plumbing, the easier it is to plug up the drain, which is quit
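The commenter above (like DrXym in the "Pick any two" thread) puts the whole of PLC security on isolation: the process network is an island, and Modbus/ENIP/CIP carry no real authentication. The practical corollary for a defender is that the one thing worth watching is traffic that crosses the island boundary. The script below is an added example, not code from the thread, the paper, or any vendor: it reads constructed key=value flow records and flags ICS protocol traffic (Modbus/TCP on 502, EtherNet/IP on 44818) arriving from outside the process network, any other inbound connection into it, and any egress from it. The record format, the 10.20.0.0/16 process network and every address are assumptions made for the example.

```python
"""Flow-log boundary check for an isolated PLC network (added example)."""
import ipaddress
from typing import Dict, List, Optional

# Assumed isolated process network (constructed for this example).
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Well-known ICS service ports for the protocols named in the thread.
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP (CIP)"}

# Constructed sample flow records in a simple key=value format.
SAMPLE_FLOWS = [
    "2016-11-04T10:00:01Z src=10.20.1.5 dst=10.20.5.10 proto=tcp dport=502",     # HMI -> PLC, inside the island
    "2016-11-04T10:00:02Z src=192.168.1.7 dst=10.20.5.10 proto=tcp dport=502",   # office PC -> PLC
    "2016-11-04T10:00:03Z src=10.20.1.5 dst=8.8.8.8 proto=udp dport=53",         # SCADA PC resolving DNS on the internet
    "2016-11-04T10:00:04Z src=10.20.5.10 dst=10.20.5.11 proto=tcp dport=44818",  # PLC -> PLC, inside the island
    "2016-11-04T10:00:05Z src=192.168.1.9 dst=10.20.1.5 proto=tcp dport=3389",   # office -> SCADA PC remote desktop
    "not a flow record",                                                         # malformed line, skipped
]


def parse_flow(line: str) -> Optional[Dict]:
    """Parse one key=value record; return None if a required field is missing or malformed."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    try:
        return {
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "proto": fields.get("proto", "tcp"),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None


def in_process_network(addr) -> bool:
    return any(addr in net for net in OT_NETS)


def check_flow(flow: Dict) -> Optional[str]:
    """Return an alert for a flow that crosses the island boundary, else None."""
    src_inside = in_process_network(flow["src"])
    dst_inside = in_process_network(flow["dst"])
    service = ICS_PORTS.get(flow["dport"])
    where = f"{flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']}"
    if dst_inside and not src_inside:
        if service:
            return f"{service} from outside the process network: {where}"
        return f"inbound connection into the process network: {where}"
    if src_inside and not dst_inside:
        # An island should have no egress at all, whatever the port.
        return f"egress from the process network: {where}"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run every record through the boundary check; malformed records are ignored."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        alert = check_flow(flow)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

On the constructed records this raises three alerts (the office PC talking Modbus to the PLC, the SCADA PC reaching the internet for DNS, and the remote-desktop connection into the SCADA PC) and stays quiet on the two flows that never leave the island. The point is the rule, not the parser: feed it whatever export your switch or firewall produces and the boundary check is the same.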

  17. Bullshit by gweihir · · Score: 1

    Of course this is detectable. If it is loaded into the PLC persistently, then you can find it via a JTAG read and compare. If not, you can detect it during load.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
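Comment 13 describes vendors moving to signed firmware, and comment 17 says a persistent implant can still be found by reading the flash over JTAG and comparing it against a known-good image. The script below is an added example, not code from the thread, the Black Hat paper, or any PLC vendor: it performs the "read and compare" step on two byte strings, reporting whether the SHA-256 digests match, which byte ranges differ (nearby runs coalesced), and which part of an assumed flash layout those ranges fall in. The 4 KiB images, the bootloader/kernel/user-logic layout and the patched offsets are all constructed for the example.

```python
"""Golden-image comparison for a PLC firmware dump (added example)."""
import hashlib
from typing import Dict, List, Tuple

# Assumed 4 KiB flash layout as (name, start, end-exclusive); constructed for the example.
LAYOUT = [("bootloader", 0x000, 0x400), ("kernel", 0x400, 0xC00), ("user_logic", 0xC00, 0x1000)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(golden: bytes, dump: bytes, gap: int = 0) -> List[Tuple[int, int]]:
    """Return [(offset, length), ...] where dump differs from golden.

    Runs of differing bytes separated by at most `gap` identical bytes are
    merged into one region, so a patched function shows up as one range rather
    than many. A size mismatch is reported as a final region covering the tail.
    """
    regions: List[Tuple[int, int]] = []
    n = min(len(golden), len(dump))
    start = last = None
    for i in range(n):
        if golden[i] == dump[i]:
            continue
        if start is None:
            start = i
        elif i - last - 1 > gap:
            regions.append((start, last - start + 1))
            start = i
        last = i
    if start is not None:
        regions.append((start, last - start + 1))
    if len(golden) != len(dump):
        regions.append((n, abs(len(golden) - len(dump))))
    return regions


def areas_touched(regions: List[Tuple[int, int]], layout=LAYOUT) -> List[str]:
    """Names of layout areas overlapped by any differing region."""
    touched = set()
    for offset, length in regions:
        end = offset + length
        for name, lo, hi in layout:
            if offset < hi and end > lo:
                touched.add(name)
    return sorted(touched)


def compare_images(golden: bytes, dump: bytes, gap: int = 16) -> Dict:
    """Digest check plus a region map, so a mismatch says where the change sits."""
    regions = diff_regions(golden, dump, gap)
    return {
        "golden_sha256": sha256_hex(golden),
        "dump_sha256": sha256_hex(dump),
        "match": golden == dump,
        "regions": regions,
        "areas": areas_touched(regions),
    }


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed golden image and a dump with two small patches in the kernel area."""
    golden = bytes(range(256)) * 16       # 4096 bytes of a repeating pattern
    dump = bytearray(golden)
    dump[0x800:0x810] = b"\xff" * 16      # 16 bytes overwritten
    dump[0x820:0x824] = b"\x00" * 4       # 4 more bytes, 16 clean bytes later
    return golden, bytes(dump)


GOLDEN, DUMP = build_sample_images()

if __name__ == "__main__":
    report = compare_images(GOLDEN, DUMP)
    print("match:", report["match"])
    for offset, length in report["regions"]:
        print(f"  differs at 0x{offset:04x}, {length} bytes")
    print("areas touched:", ", ".join(report["areas"]))
```

With the default gap of 16 the two patches are reported as a single 36-byte region at 0x0800 inside the "kernel" area; with gap=0 they appear as separate 16-byte and 4-byte regions. A digest alone only tells you the image changed; the region map is what lets an engineer decide whether the change is a legitimate user-logic download or something sitting in the loader or kernel area where nothing should have been written.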